
Azure AD B2C Support #175

Open
markti opened this issue Nov 8, 2019 · 24 comments

Comments

@markti

markti commented Nov 8, 2019

Does this provider support Azure AD B2C? If not, what provider can I use to support Azure AD B2C?

@mikebollandajw

I am also interested in this.

@jackbatzner
Contributor

I'd love this as well!

@hhao01-becls

For applications, we can use this provider to create an application in the B2C directory.

The key point is that you must manually create a service principal and use this service principal to create an application in the B2C directory with Terraform.

The example is below.

```hcl
provider "azuread" {
  version = "=0.3.0"
  # There is no subscription in the B2C directory, so the tenant id can be used as the subscription id.
  subscription_id = "<B2C tenant id>"
  client_id       = "<application (client) id of the service principal>"
  client_secret   = "<secret created for the service principal>"
  tenant_id       = "<B2C tenant id>"
}

resource "azuread_application" "example" {
  name                       = "example"
  homepage                   = "https://example"
  reply_urls                 = ["https://example"]
  available_to_other_tenants = false
  oauth2_allow_implicit_flow = true
}
```

@hhao01-becls

Do we have any plan to support Azure Active Directory B2C? We can use the azuread provider to create an application in the B2C directory. We also need support for the following:

  • Trust Framework policy (custom policy)
  • User Flow

For now, the beta version of Microsoft Graph is in preview, which supports managing the Trust Framework policy and user flow. For details, refer to the trustFrameworkPolicy resource type and the UserFlow resource type.

@AshleyPoole

Would love this too!

@manicminer
Contributor

Unfortunately at the moment the Azure SDK for Go doesn't support MS Graph, so we can't yet manage B2C policies or user flows.

You should, however, as mentioned by @hhao01-becls, now be able to manage B2C Applications using the azuread_application resource, since these were recently made cross-compatible with regular app registrations.

@erikanderson

erikanderson commented May 26, 2020

When creating a new application in B2C there is the option under Supported Account Types for "Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C."

[Screenshot: the "Supported account types" option in the B2C app registration, 2020-05-26]

I know that azuread_application has the param available_to_other_tenants (https://www.terraform.io/docs/providers/azuread/r/application.html#available_to_other_tenants); however, I don't think there is a param that can configure an application with that Supported Account Type.

I am playing around with this and will update here if I find anything further.

Edit: It appears this is a limitation of the current Go SDK which is not using the Microsoft Graph API. With Graph you can configure an application like:

"signInAudience": "AzureADandPersonalMicrosoftAccount",

https://docs.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-beta

@bytemech

bytemech commented Mar 3, 2021

This would be great!

@kenorb

kenorb commented Jun 9, 2021

Btw. azurerm provider supports some B2C resources, e.g. api_management_identity_provider_aadb2c.

@dvdvorle

dvdvorle commented Jul 6, 2021

Would this scenario be enabled by the 2.0 milestone? Currently I get

```
│ Error: expected sign_in_audience to be one of [AzureADMyOrg AzureADMultipleOrgs], got AzureADandPersonalMicrosoftAccount
│
│   with [...],
│   on [..] line 9, in resource "azuread_application" "web":
│    9:   sign_in_audience = "AzureADandPersonalMicrosoftAccount"
│
```

@manicminer
Contributor

Support for all values for sign_in_audience was already merged in preparation for 2.0, see #461. Thanks!
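The following configuration is an added example (not code from this thread or from the provider's own documentation) showing how a B2C app registration is expressed once every sign_in_audience value is accepted. It assumes the azuread 2.x resource schema: display_name, sign_in_audience, and the web block with implicit_grant replace the 0.x attributes name, available_to_other_tenants and oauth2_allow_implicit_flow. The variable names, the application name and the redirect URI are placeholders.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

# Authenticate with a service principal created in the B2C tenant.
# The variables are placeholders; supply them through ARM_TENANT_ID,
# ARM_CLIENT_ID and ARM_CLIENT_SECRET or a secrets manager rather than
# committing values to source control.
provider "azuread" {
  tenant_id     = var.b2c_tenant_id
  client_id     = var.b2c_client_id
  client_secret = var.b2c_client_secret
}

variable "b2c_tenant_id" { type = string }
variable "b2c_client_id" { type = string }
variable "b2c_client_secret" {
  type      = string
  sensitive = true
}

resource "azuread_application" "web" {
  display_name = "example-b2c-web"

  # Which account types may sign in. For a B2C registration this is the
  # option the portal labels "Accounts in any organizational directory or
  # any identity provider". It is a trust boundary: use the narrowest value
  # the application needs (AzureADMyOrg for a single-tenant app).
  sign_in_audience = "AzureADandPersonalMicrosoftAccount"

  web {
    redirect_uris = ["https://app.example.com/signin-oidc"]

    # Enable only the implicit-flow tokens the application actually consumes;
    # an access token via implicit flow is rarely needed for a web app.
    implicit_grant {
      id_token_issuance_enabled     = true
      access_token_issuance_enabled = false
    }
  }
}
```

Running `terraform plan` against a provider older than the change referenced above reproduces the "expected sign_in_audience to be one of [AzureADMyOrg AzureADMultipleOrgs]" validation error quoted earlier in the thread; with 2.x the value is accepted and the registration is created in the B2C tenant the provider is authenticated against.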

@jashby44

jashby44 commented Aug 4, 2021

@manicminer I know 2.0 isn't released yet, but can I use a dev version now with a different source in required_providers? Happy to test and leave feedback.

@manicminer
Contributor

manicminer commented Aug 8, 2021

Hi @jashby44, we don't have a pre-release build, however you should be able to build it locally from main, although I wouldn't recommend running in production as there are still some known bugs.

@jrasanen

There are now APIs for creating AD B2C tenants programmatically, so is the "upstream" issue tag fixed, or is it still pending the Azure SDK for Go?

@manicminer
Contributor

@jrasanen Thanks for pointing this out! As this is a Resource Manager API, the corresponding resource to create/manage a B2C tenant and its subscription association will be implemented in the AzureRM provider. The AzureAD provider will implement any resources which can be managed via Microsoft Graph (or potentially any future B2C-specific APIs), to manage the constructs within a B2C tenant.

I have opened an issue to track this: hashicorp/terraform-provider-azurerm#13396

@helvetia-regel

Linked or not: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/api_management_policy

Does the above allow for the definition of custom policies via their own XML files?

@hhao01-becls the Microsoft Graph client has apparently been upgraded to support the upload of policies. It is used in GitHub Actions workflows, which sounds like an acceptable alternative if Terraform cannot write these custom policies.

@jarifibrahim

Hi @manicminer! Would you be open to accepting a PR for adding support for the B2C UserFlow resource to this provider (https://learn.microsoft.com/en-us/graph/api/resources/b2cidentityuserflow?view=graph-rest-beta)?

I see that azuread uses https://github.com/manicminer/hamilton/tree/main/msgraph as the Microsoft Graph API client but the client doesn't support B2C UserFlow related graph APIs.
Would it be okay to integrate microsoftgraph/msgraph-beta-sdk-go https://github.com/microsoftgraph/msgraph-beta-sdk-go/tree/main/identity/b2cuserflows which has the required API support?

@manicminer
Contributor

@jarifibrahim We would definitely like to support this, however we are first looking to implement support in the provider for pinning, or otherwise asserting, the API version - due to this resource only being available in the beta API at this time.

We are not currently looking to use the official SDK(s).

@jarifibrahim

jarifibrahim commented Sep 20, 2022

@manicminer is there an ETA on how long it would take to add support for pinning a version?

> We are not currently looking to use the official SDK(s).

May I ask why? I am happy to add support for user flows to https://github.com/manicminer/hamilton/tree/main/msgraph as well.

Edit: Created manicminer/hamilton#179 for adding B2C User Flow API support.

@ghost

ghost commented Oct 27, 2022

Is there any possibility to create User Flows and generic OIDC Identity Providers in a B2C tenant at this time?

@ilmax

ilmax commented Apr 15, 2023

@manicminer I saw a PR for user flow that got incorrectly marked as being released in version 2.35, but it was apparently never merged. Any reason why that one was closed? I was looking forward to it. Can you shed some light on the status, please? AFAIC support is there in the hamilton library.

@manicminer
Contributor

@ilmax Great question! Apologies, I closed that PR but forgot to update the milestone or post an explanatory comment. I've added that now, please see #1009 (comment)

@itpropro

itpropro commented Sep 7, 2023

Azure AD B2C will probably be superseded by Entra External ID for customers in the future, and it looks like most of the effort goes into that instead of AD B2C. Also, Entra ID for customers seems to have proper APIs for configuration and fortunately dropped the whole Identity Experience Framework in favour of a more modern hook system called authentication extensions.
Therefore I think this issue can be closed and a new one for "Entra External ID for customers support" could be created.

tiwood pushed a commit to tiwood/terraform-provider-azuread that referenced this issue Feb 19, 2024
* add app IDs for Front Door

* remove punctuation symbols

* Fix syntax errors

Co-authored-by: Tom Bamford <tom@bamford.io>
@rmihael

rmihael commented Nov 6, 2024

Entra External ID looks nice, but AD B2C will be supported by MS until at least May 2030 (https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#whats-happening-to-azure-ad-b2c-and-azure-ad-external-identities). Migrating from AD B2C is far from trivial, at least for now. Also External ID still lacks many features and will require time to catch up with AD B2C. Until then both existing and new deployments will benefit from support in Terraform. In particular, #715 feels like the most obviously missing.
